Brett Klamer

The Complete Installation Guide for Xubuntu 20.04

This is a guide for installing Xubuntu 20.04 – the hard way. The partitioning scheme is laid out as:

|                         ||            ||           || Logical volume1 XX GB       |
|                         ||            ||           || /dev/mapper/ubuntu--vg-root |
| 768 MB                  ||            || 128 MB    ||_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
| dm-crypt LUKS LVM       || 2 MB       || EFI       || dm-crypt LUKS LVM           | 
| /dev/mapper/LUKS_BOOT   || bios_boot  || System    || /dev/mapper/sda5_crypt      |
|_ _ _ _ _ _ _ _ _ _ _ _ _|| GRUB Core  || Partition || _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
| dm-crypt LUKS partition ||            ||           || dm-crypt LUKS encrypted     |
| /dev/sda1               || /dev/sda2  || /dev/sda3 || /dev/sda5                   |


  1. You may need to change some options for your install.
  2. Test in a virtual machine before use. Real hardware will still be different.
  3. If grub gets installed on the USB installation device, simply reboot with the installation USB, login, and run sudo dpkg-reconfigure grub-pc. This will show a text interface where you can choose the installation disk(s).


Install Xubuntu 20.04 with dm-crypt LUKS encryption for all partitions

  1. Download Xubuntu 20.04 at

  2. Create a bootable USB. I suggest using

  3. Make sure you are using UEFI on the computer.

  4. Reboot computer from USB.

  5. Installer boot menu

    1. Try Xubuntu without installing
  6. Follow directions from for full partition encryption.

    1. Open the terminal

      # Identify installation device
      # Switch to root user
      sudo -i
      # Determine the target drive location
      # Save shortcut reference to drive location
      export DEV="/dev/sda"
      # ***If using an NVME device use this instead***
      #export DEV="/dev/nvme0n1"
      # Shortcut reference to encrypted device mapper without leading `/dev/`
      export DM="${DEV##*/}"
      # NVME devices need a 'p' before partition number. i.e. "nvme0n1p1".
      export DEVP="${DEV}$( if [[ "$DEV" =~ "nvme" ]]; then echo "p"; fi )"
      export DM="${DM}$( if [[ "$DM" =~ "nvme" ]]; then echo "p"; fi )"
      # Partitioning
      # Check for pre-existing partitions
      sgdisk --print $DEV
      # ***If safe to delete all partitions***
      #sgdisk --zap-all $DEV
      # If anything goes wrong, check Gparted or `fdisk -l $DEV`.
      sgdisk --new=1:0:+768M $DEV
      sgdisk --new=2:0:+2M $DEV
      sgdisk --new=3:0:+128M $DEV
      sgdisk --new=5:0:0 $DEV
      sgdisk --typecode=1:8301 --typecode=2:ef02 --typecode=3:ef00 --typecode=5:8301 $DEV
      sgdisk --change-name=1:/boot --change-name=2:GRUB --change-name=3:EFI-SP --change-name=5:rootfs $DEV
      sgdisk --hybrid 1:2:3 $DEV
      # LUKS Encryption
      # Make sure to use luks version 1 on /boot/ since GRUB requires it.
      cryptsetup luksFormat --type=luks1 ${DEVP}1
      # The system partition
      cryptsetup luksFormat ${DEVP}5
      cryptsetup open ${DEVP}1 LUKS_BOOT
      cryptsetup open ${DEVP}5 ${DM}5_crypt
      ls /dev/mapper/
      # Format file systems
      mkfs.ext4 -L boot /dev/mapper/LUKS_BOOT
      mkfs.vfat -F 16 -n EFI-SP ${DEVP}3
      # LVM Logical Volume Manager
      pvcreate /dev/mapper/${DM}5_crypt
      vgcreate ubuntu--vg /dev/mapper/${DM}5_crypt
      # If you want a swap partition/volume
      #lvcreate -L 1G -n swap_1 ubuntu--vg
      lvcreate -l 80%FREE -n root ubuntu--vg
    2. Keep terminal open, but switch back to proceeding with installation.

  7. Installer main menu

    1. Keyboard layout

      1. English (US)
    2. Updates and other software

      1. Download updates while installing Xubuntu
      2. Install third-party software
    3. Installation type

      1. Something else
        1. Select the root file-system device for formatting (/dev/mapper/ubuntu--vg-root), press the Change button, choose Use As Ext4 and Mount point /.
        2. If you created a swap volume: Select the swap device (/dev/mapper/ubuntu–vg-swap_1), press the Change button, choose Use as swap area.
        3. Select the Boot file-system device for formatting (/dev/mapper/LUKS_BOOT), press the Change button. choose Use as Ext4… and Mount point /boot
        4. Select the boot-loader device (/dev/sda for example). Boot-loader device should always be a raw disk not a partition or device-mapper node.
        5. Press the Install Now button to write the changes to the disk and press the Continue button.
    4. Where are you

    5. Who are you

      • After finishing this step, immediately perform next step. The next step needs to be run before installation is finished in the background?
    6. Open the terminal

      1. while [ ! -d /target/etc/default/grub.d ]; do sleep 1; done; echo "GRUB_ENABLE_CRYPTODISK=y" > /target/etc/default/grub.d/local.cfg
        • Check file for successful addition of text.
    7. After successful installation, choose continue testing.

    8. Open the terminal

      # chroot environment
      mount /dev/mapper/ubuntu--vg-root /target
      for n in proc sys dev etc/resolv.conf; do mount --rbind /$n /target/$n; done
      chroot /target
      mount -a
      # Configure cryptsetup-initramfs and key file
      apt install -y cryptsetup-initramfs
      # Note that since we chroot'd to `/target` the following changes will be
      # made in the files at the /target path.
      echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
      echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf
      mkdir /etc/luks
      dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1
      chmod u=rx,go-rwx /etc/luks
      chmod u=r,go-rwx /etc/luks/boot_os.keyfile
      cryptsetup luksAddKey ${DEVP}1 /etc/luks/boot_os.keyfile
      cryptsetup luksAddKey ${DEVP}5 /etc/luks/boot_os.keyfile
      echo "LUKS_BOOT UUID=$(blkid -s UUID -o value ${DEVP}1) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
      echo "${DM}5_crypt UUID=$(blkid -s UUID -o value ${DEVP}5) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
      update-initramfs -u -k all
  8. Reboot the computer. You should be asked for the password at GRUB.

Post install suggestions

  1. Edit the hosts file

    1. Grab the hosts file from
    2. paste into /etc/hosts
  2. Update the Linux kernel.

    1. If you want a specific kernel
      1. Download the following from
        1. linux-headers-5.*-generic_*_amd64.deb
        2. linux-headers-5.*_all.deb
        3. linux-image-unsigned-5.*-generic_*_amd64.deb
        4. linux-modules-5.*-generic_*_amd64.deb
      2. Open terminal in download location and run
        1. sudo dpkg -i linux-headers*.deb
        2. sudo dpkg -i linux-modules*.deb
        3. sudo dpkg -i linux-image*.deb
        4. sudo update-grub
      3. Restart computer
      4. Check kernel being used with
        1. uname -a
      5. Remove old kernels if /boot gets full
    2. If you want the LTS updated Kernel. Reference
  3. Enable the firewall.

    sudo ufw enable
    sudo ufw default deny outgoing
    sudo ufw default deny incoming
    sudo ufw allow out to any port 80
    sudo ufw allow out to any port 443
    sudo ufw allow out to any port 53
    # additional ports to allow out
    # brother printer: 54925, 54926, 137, 161
    sudo ufw reload
    sudo ufw status verbose
    # If anything goes wrong, you can reset ufw
    #sudo ufw --force reset
  4. Disable hyperthreading (if option not available in the bios).

  5. Check disk io/r/w transactions

    1. sudo iotop -oPa
  6. If there is a separate partition or disk that needs to be mounted and unencrypted at boot. Reference

    1. Check UUID of partitioning
      1. sudo blkid
    2. Check block size of / (root) partition for nice key size (likely 4096)
      1. sudo blockdev --getbsz /dev/mapper/system-root
    3. Create random keyfile in /root
      1. sudo dd if=/dev/urandom of=/root/keyfile bs=4096 count=1
        • the bs= value should be the block size we just found
    4. Make keyfile read only to root
      1. sudo chmod 0400 /root/keyfile
    5. Add keyfile to LUKS partition of /dev/sdX#_crypt
      1. sudo cryptsetup luksAddKey /dev/sdX#_crypt /root/keyfile
        • Enter existing password for /dev/sdX#_crypt
    6. Create mapper
      1. sudo mousepad /etc/crypttab
      2. add ‘/root/keyfile’ to replace ’none’ for /dev/sdX#_crypt
        • example: sdX#_crypt UUID=XXX /root/keyfile luks
    7. Mount the drive (if needed)
      1. sudo mousepad /etc/fstab
        • example: /dev/mapper/sdX#_crypt /<mount point> btrfs relatime 0 2
    8. Update settings in initramfs images
      1. sudo update-initramfs -u -k all
  7. TRIM for SSDs.

    1. Reference
    2. Enable Trim on dm-crypt
      1. Open /etc/crypttab
        1. sudo mousepad /etc/crypttab
        2. If needed, add ‘discard’ to the options for sdX#_crypt.
    3. Make sure LVM has ‘issue_discards=1’ in
      1. sudo mousepad /etc/lvm/lvm.conf
    4. Check encrypted drive with
      1. sudo dmsetup table /dev/mapper/sdX#_crypt
      2. make sure it has ‘1 allow_discards’
    5. Remove or check “discard” is not used in the fstab
      1. sudo mousepad /etc/fstab
    6. Run TRIM manually or check for errors
      1. sudo fstrim -v /home
    7. If any changes were made, run
      1. sudo update-initramfs -c -k all
  8. If installing in Virtualbox, install additions by

    1. sudo apt install virtualbox-guest-utils virtualbox-guest-dkms dkms
    2. To share a folder, make a permanent machine folder then run
      1. sudo usermod -a -G vboxsf username
    3. To share a USB port
      1. sudo usermod -a -G vboxusers username
  9. Set window tile keybinds similar to Microsoft Windows.

    1. Open terminal and run
      1. xfce4-settings-manager
    2. Go to window manager
      1. Open the Keyboard tab
        1. Set the “Tile window to the left” (and right)
  10. Backbutton in firefox to backsapce.

    1. Type about:config in the address bar
    2. Look for browser.backspace_action in the list
    3. Change the Value to 0.
  11. If needed, install Intel wireless driver.

    1. Download driver from
    2. Navigate to download folder
      1. tar xvzf iwlwifi-XXX.tgz
      2. cd iwlwifi-XXX/
      3. sudo cp iwlwifi-XXX.ucode /lib/firmware
  12. Check partition sizes.

    1. df -h
  13. Install packages from a newer release.

    2. apt install <package> -t groovy
  14. Modify or redirect home folder names.

    1. change in /home/username/.config/user-dir.dirs
  15. Change ownership of extra storage drives or partitions.

    1. sudo chown -R username /partition
  16. Change desktop lock keybind.

    1. Go to settings editor
    2. xfce4-keyboard-shortcuts
    3. new commands custom property
      1. property: /commands/custom/<super>l
      2. type: string
      3. value: xflock4
  17. Format a USB drive.

    1. df
    2. umount /dev/sdc1
    3. mkfs.vfat /dev/sdc1
  18. Create a dm-crypt LUKS encrypted external drive. Reference

    1. Find the external drive (assume the filesystem is /dev/sdb1 and it’s mount location /media/USERNAME/*)

    2. Unmount it

      umount /media/USERNAME/*
    3. Quickly wipe old filesystems. wipefs clears the first superblock.

      sudo wipefs -a /dev/sdb1
    4. Create the LUKS container (follow on-screen intructions)

      sudo cryptsetup luksFormat /dev/sdb1
    5. Check the passphrase iteration count. The key slot default is 1 second of PBKDF2 hashing. The volume key default (MK iterations) is 0.125 seconds. You can set the key slot with cryptsetup luksFormat -i 15000 <target device>

      sudo cryptsetup luksDump /dev/sdb1
    6. Map the container to /dev/mapper/backup1

      sudo cryptsetup luksOpen /dev/sdb1 backup1
    7. Create a filesystem in the mapped container

      sudo mkfs.btrfs --label backup1 /dev/mapper/backup1
    8. Mount the filesystem (right after creation; using lzo compression)

      mount -o compress=lzo /dev/mapper/backup1 /mnt
    9. Mount the filesystem (day to day use as a portable external drive; using lzo compression). You can either create an fstab entry or mount using the command line.

      • Using an fstab entry

        # Get the UUID of the mounted and unlocked /dev/mapper/ filesystem
        sudo blkid

      Add the following entry to /etc/fstab

       UUID=YOUR-UUID /media/backup1 btrfs noauto,defaults,noatime,compress=lzo 0 0

      Now it will automatically mount at /media/backup1. The noauto option is used in the fstab entry to prevent automatically mounting the drive at boot time. If you leave this option off, then your computer will fail to boot and you will need to edit the fstab in recovery mode. The nofail option can be used for drives that are usually going to be mounted at boot time.

       Change ownership of the new mount point so you can perform cut/copy/paste, etc.
       sudo chown -R USERNAME /media/backup1
      • Using the terminal

        # The OS will automatically mount the drive and ask for passphrase to unlock. Then...
        sudo umount /media/USERNAME/*
        sudo mount -o compress=lzo /dev/dm-4 /media/backup1
        sudo chown -R USERNAME /media/backup1
  19. Stop system error pop ups.

    Sometimes a system error will be reported and cause a warning pop up over multiple restarts. You can remove this by either

    1. sudo rm /var/crash/*
    2. gksu nano /etc/default/apport and set enabled=0
  20. Randomize MAC address.

    This is based on To randomize wifi connections, create the file /etc/NetworkManager/conf.d/00-macrandomize.conf and add the following:

    # can use 'random' or 'stable' below

    Then restart networkmanager with systemctl restart NetworkManager.

  21. Change owner of entire directory.

    sudo chown -R <username> *
  22. Let apt fix dependency issues automatically.

    sudo apt --fix-broken install
  23. GPG bug fix when adding keys behind a proxy: use the option http-proxy=

    sudo apt-key adv --keyserver --keyserver-options http-proxy=http://PROXYADDRESS --recv-keys GPGKEY
  24. Set audio level keyboard shortcuts.

    In Settings -> Keyboard -> Application Shortcuts, click add, then insert

    amixer -D pulse set Master 5%+
    amixer -D pulse set Master 5%-
    amixer -D pulse set Master toggle
  25. Fix bluetooth audio stuttering.

    Open a terminal and run

    sudo mousepad /etc/bluetooth/audio.conf

    Then add the following text to the new file:


    Finally, restart the bluetooth service

    sudo service bluetooth restart
  26. Fix bluetooth audio not working.

    Open a terminal and run

    lsmod | grep btusb
    sudo rmmod btusb
    lsmod | grep btusb
    sudo modprobe btusb
    lsmod | grep btusb
    scan on

Software install suggestions

Apt packages

# Update
sudo apt update
sudo apt dist-upgrade
# Remove unwanted software from xubuntu
sudo apt purge '^brltty.*' '^espeak.*' '^hplip.*' '^libhpmud0.*' '^libsane-hpaio.*' '^parole.*' '^printer-driver.*' '^speech-dispatcher.*' '^whoopsie.*' '^libwhoopsie0.*' '^popularity-contest.*' '^pidgin.*'
# Remove snap
sudo rm -rf /var/cache/snapd/
sudo apt autoremove --purge snapd gnome-software-plugin-snap
rm -fr ~/snap
# Prevent snap from ever being installed again
#sudo bash -c "cat > /etc/apt/preferences.d/no-snapd.pref" << EOL
# Cleanup
sudo apt autoremove
sudo apt autoclean
# Install software
# general
sudo apt install iotop software-properties-common p7zip-full curl libdbd-sqlite3 audacious texinfo libimobiledevice-dev
# r
sudo apt install jags pandoc pandoc-citeproc gcc gfortran libudunits2-dev libssl-dev libgit2-dev libssh2-1-dev
# for rstan
sudo apt install libv8-dev
# git
sudo apt install make libssl-dev libghc-zlib-dev libcurl4-gnutls-dev libexpat1-dev gettext unzip
# power
sudo apt install tlp tlp-rdw powertop
sudo tlp start
sudo powertop --auto-tune
# Install other repository software
# Repos
# R
sudo apt-key adv --keyserver --recv-keys E298A3A825C0D65DFD57CBB651716619E084DAB9
# If no response from key server, use below:
#gpg --keyserver hkp:// --recv-keys E298A3A825C0D65DFD57CBB651716619E084DAB9
#gpg -a --export E298A3A825C0D65DFD57CBB651716619E084DAB9 | sudo apt-key add -
sudo add-apt-repository "deb $(lsb_release -cs)-cran40/"
sudo add-apt-repository
# KeepassXC
sudo add-apt-repository ppa:phoerious/keepassxc
# Lyx
sudo add-apt-repository ppa:lyx-devel/release
# Libreoffice
sudo add-apt-repository ppa:libreoffice/ppa
# mpv
sudo add-apt-repository ppa:mc3man/mpv-tests
# git
sudo add-apt-repository ppa:git-core/ppa
# Virtualbox
sudo add-apt-repository "deb [arch=amd64] $(lsb_release -cs) contrib" && wget -q -O- | sudo apt-key add -
# Gimp
sudo apt-add-repository ppa:otto-kesselgulasch/gimp
# Inkscape
sudo add-apt-repository
# sublime text
wget -qO - | sudo apt-key add -
echo "deb apt/stable/" | sudo tee /etc/apt/sources.list.d/sublime-text.list
# Install
sudo apt update
# R
sudo apt install r-base r-base-dev libopenblas-base liblapack3 libcairo2-dev libxt-dev libclang-dev
# keepassXC
sudo apt install keepassxc
# Lyx
sudo apt --no-install-recommends install lyx
# libreoffice
#sudo apt --no-install-recommends install libreoffice-writer
#sudo apt install libreoffice-calc
# mpv
sudo apt install mpv
# git
sudo apt install git
# Virtualbox
sudo apt install virtualbox
# Gimp
sudo apt install gimp
# Inkscape
sudo apt install inkscape
# sublime text
sudo apt install sublime-text
# Cleanup
sudo apt update
sudo apt dist-upgrade
sudo apt autoclean
sudo apt autoremove

Manual packages

  1. Install GnuCash

    # Easiest to use flatpak?
    sudo apt install flatpak
    flatpak remote-add --if-not-exists flathub
    flatpak install flathub org.gnucash.GnuCash
    # uninstall
    #flatpak uninstall org.gnucash.GnuCash
    # Update stock quotes
    flatpak run --command=gnucash-cli org.gnucash.GnuCash --quotes get /path/to/file.gnucash
  2. Install texlive 2020. Reference

    1. Run

      sudo apt install wget perl-tk
      tar -zxvf install-tl-unx.tar.gz
      cd install-tl*
      sudo ./install-tl --gui
      • Choose the small scheme (just download fonts and packages as you need them)
      • Choose Recommended fonts, Mathematics packages, and LuaTeX packages
      • Make sure to “create symlinks in system directories”
    2. Run following from the shell. It will add the lines to /etc/environment.

      export MANPATH="$MANPATH:/usr/local/texlive/2020/texmf-dist/doc/man"
      export INFOPATH="$INFOPATH:/usr/local/texlive/2020/texmf-dist/doc/info"
      export PATH=/usr/local/texlive/2020/bin/x86_64-linux:$PATH
    3. Make apt see the local install by:

      sudo apt install equivs --no-install-recommends
      sudo apt install freeglut3
      mkdir /tmp/tl-equivs
      cd /tmp/tl-equivs
      equivs-control texlive-local
      # copy this to
      mousepad texlive-local
      equivs-build texlive-local
      sudo dpkg -i texlive-local_2020-1_all.deb
      sudo apt install -f
    4. Access tlmgr using

      • sudo tlmgr --gui
    5. Update texlive. Remove the old texlive with the commands below, then Re-run the install commands.

      # Remove old apt local install
      sudo apt remove texlive-local
      # Remove the old texlive directories
      sudo rm -rf /usr/local/texlive/2019/
      sudo rm -rf /usr/local/texlive/texmf-local/
      sudo rm -rf ~/.texlive2019/
      sudo rm -rf /var/lib/texmf/
      # Remove the old texlive symlinks (Make sure there's nothing else in there)
      sudo rm /usr/local/bin/*
      sudo -rf rm /usr/local/share/man/*
      sudo rm /usr/local/share/info/*
      # Update the font cash
      sudo fc-cache -fsv
  3. Install Redshift

    1. Install from repo

      sudo apt-get install redshift redshift-gtk
    2. Append the following to geoclue’s config with sudo nano /etc/geoclue/geoclue.conf

    3. Create a redshift config file with nano ~/.config/redshift.conf

    4. Alternative software

  4. Modify sublime text’s settings

    1. At Preferences -> Distration Free, add the line "update_check": false,
    2. Add to /etc/hosts.
  5. Install Texmaker.

  6. Install Rstudio.

  7. Install Teamviewer.

  8. Install Anydesk.

    • Download from

      sudo dpkg -i *.deb
      sudo apt install -f
    • Anydesk uses a dark pattern of forcing autostart of a background service/system tray icon. To stop it, you needed to delete the following file:

  9. Install Bleachbit.

  10. Install Brother printer drivers.

    1. Download from
      1. gunzip linux-brprinter-installer-2.*.gz
      2. sudo bash linux-brprinter-installer-2.*
      3. Enter machine name
      4. When you see the message “Will you specify the DeviceURI ?” USB Users: Choose N(No). Network Users: Choose Y(Yes).
    2. If scanner isn’t working
      1. brsaneconfig4 -a name=Scanner model='modelname' ip='ip-address'
    3. Check network mapping with
      1. nmap 'IP range'/24
Published: 2020-08-14
Last Updated: 2022-08-27